risepro | fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4

General

Target

fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4.exe
Size

81.4MB
MD5

f2c4bf49d9d2bf6b68507fddfe4b4882
SHA1

2699920d1e4f0f3623fce7a4f3883106fcb05d69
SHA256

fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4
SHA512

38a535ec1385f4c6e11d4119038095376caf0ba33dac96c6263a79a29faecfd047ef0e014acf0893820cc63f2c0420272ba397662d9495c36b86b2d70baa1e43
SSDEEP

1572864:hB5eZ35ERdfoUrM425QLYhE78X2Iiq6vcF/cfPKF1UfylTgfllqEGJ:hB5eMDgUre3E7acfPC1Ufye9I

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Blocklisted process makes network request 1 IoCs

flow	pid	Process
19	1440	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3796	InstallerSoftware_v5j.1h.0.exe
508	Installer_Software_v1.6a.1y.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1440 set thread context of 1744	1440	powershell.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
508	Installer_Software_v1.6a.1y.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	508	Installer_Software_v1.6a.1y.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeShutdownPrivilege	1440	powershell.exe
Token: SeCreatePagefilePrivilege	1440	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 3796	688	fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4.exe	73
PID 688 wrote to memory of 3796	688	fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4.exe	73
PID 688 wrote to memory of 3796	688	fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4.exe	73
PID 3796 wrote to memory of 508	3796	InstallerSoftware_v5j.1h.0.exe	74
PID 3796 wrote to memory of 508	3796	InstallerSoftware_v5j.1h.0.exe	74
PID 3796 wrote to memory of 508	3796	InstallerSoftware_v5j.1h.0.exe	74
PID 508 wrote to memory of 1440	508	Installer_Software_v1.6a.1y.exe	77
PID 508 wrote to memory of 1440	508	Installer_Software_v1.6a.1y.exe	77
PID 508 wrote to memory of 1440	508	Installer_Software_v1.6a.1y.exe	77
PID 1440 wrote to memory of 1744	1440	powershell.exe	79
PID 1440 wrote to memory of 1744	1440	powershell.exe	79
PID 1440 wrote to memory of 1744	1440	powershell.exe	79
PID 1440 wrote to memory of 1744	1440	powershell.exe	79

C:\Users\Admin\AppData\Local\Temp\fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4.exe
"C:\Users\Admin\AppData\Local\Temp\fcfca4565cbc5d565c50ac5321beb9c9797569ce52b8df21f9cc2caad25aa2b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\InstallerSoftware_v5j.1h.0\InstallerSoftware_v5j.1h.0.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallerSoftware_v5j.1h.0\InstallerSoftware_v5j.1h.0.exe" -pYJKRCe1x4g1M
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer_Software_v1.6a.1y.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer_Software_v1.6a.1y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Blocklisted process makes network request
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        5⤵
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallerSoftware_v5j.1h.0\InstallerSoftware_v5j.1h.0.exe

Filesize
80.2MB

MD5
b73e09ccf446645e51df979f7b30d675

SHA1
91d87430e03795fdb9a4452b57881b792035bf29

SHA256
cb9910c5288ea1355744ba8060f73d5629e75136da2d200996cadf2090a6ac0b

SHA512
4281a37cda7df3d903ad38c894f947ff0c2787893b818b6d8ca7122ea6e1d9d200f5a80a75d072aa4daa65d34af186629fe1d2262208e59cba41705f472d1c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer_Software_v1.6a.1y.exe

Filesize
707.7MB

MD5
0ba6db3aa0ce411288ef991ecf30b6e2

SHA1
a7cb38951d683558346b944b7c4b7ce3fb8ddbc1

SHA256
35cb27b07242b7ec59171f28e864a53217e475a516d35f140897801fc0da15bf

SHA512
3cf29bc1e7a935786d2ed61d5542b6aefd4ec3936840db5e87fb00a70712f3f479afe571329d33e3ebc16aea126dc51e06dd71a935519b18c05e61a7fa6d02ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ahtgiaes.ud5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/508-21-0x0000000031260000-0x0000000031270000-memory.dmp

Filesize
64KB

Download
memory/508-19-0x00000000316A0000-0x0000000031B9E000-memory.dmp

Filesize
5.0MB

Download
memory/508-20-0x0000000031280000-0x0000000031312000-memory.dmp

Filesize
584KB

Download
memory/508-18-0x0000000000650000-0x0000000001650000-memory.dmp

Filesize
16.0MB

Download
memory/508-22-0x0000000031330000-0x000000003133A000-memory.dmp

Filesize
40KB

Download
memory/508-23-0x0000000047EC0000-0x0000000047F5C000-memory.dmp

Filesize
624KB

Download
memory/508-24-0x0000000047F60000-0x0000000047FC6000-memory.dmp

Filesize
408KB

Download
memory/508-25-0x00000000722A0000-0x000000007298E000-memory.dmp

Filesize
6.9MB

Download
memory/508-26-0x0000000031260000-0x0000000031270000-memory.dmp

Filesize
64KB

Download
memory/508-180-0x00000000722A0000-0x000000007298E000-memory.dmp

Filesize
6.9MB

Download
memory/508-17-0x00000000722A0000-0x000000007298E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-35-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1440-133-0x000000000A7E0000-0x000000000AE58000-memory.dmp

Filesize
6.5MB

Download
memory/1440-33-0x00000000075D0000-0x0000000007BF8000-memory.dmp

Filesize
6.2MB

Download
memory/1440-34-0x0000000007D60000-0x0000000007D82000-memory.dmp

Filesize
136KB

Download
memory/1440-32-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1440-36-0x0000000007F10000-0x0000000008260000-memory.dmp

Filesize
3.3MB

Download
memory/1440-37-0x00000000082A0000-0x00000000082BC000-memory.dmp

Filesize
112KB

Download
memory/1440-38-0x00000000082E0000-0x000000000832B000-memory.dmp

Filesize
300KB

Download
memory/1440-30-0x00000000722A0000-0x000000007298E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-57-0x0000000009510000-0x000000000954C000-memory.dmp

Filesize
240KB

Download
memory/1440-88-0x00000000095D0000-0x0000000009646000-memory.dmp

Filesize
472KB

Download
memory/1440-31-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1440-134-0x000000000A1A0000-0x000000000A1BA000-memory.dmp

Filesize
104KB

Download
memory/1440-135-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1440-160-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1440-169-0x000000001FE60000-0x0000000020064000-memory.dmp

Filesize
2.0MB

Download
memory/1440-170-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1440-173-0x000000000A210000-0x000000000A232000-memory.dmp

Filesize
136KB

Download
memory/1440-174-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/1440-29-0x0000000006E30000-0x0000000006E66000-memory.dmp

Filesize
216KB

Download
memory/1440-178-0x00000000722A0000-0x000000007298E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-176-0x0000000000780000-0x00000000008D3000-memory.dmp

Filesize
1.3MB

Download
memory/1744-181-0x0000000000780000-0x00000000008D3000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing